Wednesday, 6 July 2011

It is a vast expanse of best practice security measures, not at all easy to understand, and even less easy to apply to your personal situation. The headlines are as follows:

12 Requirements

but 230 sub-requirements

and some estimates of 650 detail points

The PCI DSS in 2011 still remains an ongoing challenge for the overwhelming majority of PCI Merchants. Feedback we have had from working with a number of casino resorts, theme parks, ferry services and call centers over the past few months makes interesting reading for any other PCI Merchant wanting advice about PCI compliance.

Typically, one in every two Tier 2 and Tier 3 Merchants admit they do not understand the requirements of the PCI DSS. If you are either still working on implementing compliance measures identified in pre-audit surveys, or are not compliant and doing nothing about it, or are leaving everything to the last minute, don’t be too hard on yourself - nine out of ten Merchants are at the same stage.

In fact, it is fine to have a phased, prioritized approach and the PCI DSS Council fully recommend this strategy, mindful that Rome wasn’t built in a day.

Although the PCI DSS is sectioned loosely around twelve headline Requirements in terms of technologies (Firewalling, Anti-Virus, Logging and Audit Trails, File Integrity Monitoring, Device Hardening and Card Data Encryption) - and procedures and processes (physical security, education of staff, development and testing procedures, change management), you soon realize that there are threads that run horizontally through all requirements.

If you consider Requirement 1 of the PCI DSS, this is oriented around the need for a firewall and a fundamentally secure network design. However, you quickly end up with a secondary list of questions and queries. Do we need a diagramming tool? Do we need to automate the monitoring of firewall rule changes? (Incidentally, this is a task easily done using a good file integrity monitoring product.) What is our Change Management Process? Is it documented?

In this respect there is potentially a good argument for the creation of other versions of the PCI DSS oriented around procedural dimensions, such as password policies for all disciplines and devices, or change management for all disciplines and devices, and so on. Whilst the Prioritized Approach gives a good framework for planning and measuring progress, it is strongly advised that you also look up at every step and see which other requirements can be taken care of by the same measure being implemented. For example, file integrity monitoring is only specifically mentioned in Requirement 11.5; however, good FIM software solutions will underpin Requirement 1, Requirement 2, and Requirements 3, 4, 5, 6, 7, 8, 10 and 12.
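To make the "monitor firewall rule changes with FIM" idea above concrete, here is an added example (not code from the original post or from any FIM product) that shows the core of what such a tool does: hash an exported ruleset against an approved baseline and, when the hash differs, list exactly which rule lines were added or removed so the change can be matched to a change-management record. The iptables-save style rule dumps are constructed inline for the demonstration; in practice the "current" text would be read from the exported file on the firewall host.

```python
"""Minimal file-integrity check for a firewall ruleset (added example, not from the post).

Assumes the firewall rules are exported to a text file (here an iptables-save
style dump, constructed inline). A real FIM product watches the file on disk
and alerts on change; this script shows the underlying logic: hash the whole
file, and when the hash differs, report which rule lines were added or removed.
"""
import hashlib
from typing import Dict, List

# Constructed baseline: the approved ruleset as recorded at the last review.
BASELINE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed "current" export: an undocumented change added a port 22 rule
# and removed the loopback rule. This is what the check should surface.
CURRENT_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def ruleset_hash(text: str) -> str:
    """SHA-256 of the normalized ruleset (trailing whitespace and blank lines ignored)."""
    normalized = "\n".join(line.rstrip() for line in text.splitlines() if line.strip())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def rule_lines(text: str) -> List[str]:
    """Only -A/-I/-D rule lines go into the change report; table headers and counters are noise."""
    return [line.strip() for line in text.splitlines()
            if line.strip().startswith(("-A", "-I", "-D"))]


def diff_rulesets(baseline: str, current: str) -> Dict[str, object]:
    """Compare two ruleset exports: did anything change, and which rule lines were added/removed."""
    changed = ruleset_hash(baseline) != ruleset_hash(current)
    base_set, cur_set = set(rule_lines(baseline)), set(rule_lines(current))
    return {
        "changed": changed,
        "added": sorted(cur_set - base_set),
        "removed": sorted(base_set - cur_set),
    }


def format_report(result: Dict[str, object]) -> str:
    """Human-readable report suitable for an alert or an audit-trail entry."""
    if not result["changed"]:
        return "OK: ruleset matches baseline"
    lines = ["ALERT: firewall ruleset differs from baseline"]
    lines += [f"  + {r}" for r in result["added"]]
    lines += [f"  - {r}" for r in result["removed"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_rulesets(BASELINE_RULES, CURRENT_RULES)))
```

Run it and the report flags the added port 22 rule and the removed loopback rule. The design point is that the hash answers "did it change?" cheaply on every check, while the line-level diff is only computed when a change is detected, which is what makes the alert actionable for the change-management review that Requirement 1 asks for.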

The general advice is that, even though it is very daunting, if you can get ‘intimate’ with the PCI DSS, both in spirit and in detail, then as with everything else in life, the better informed you are, the more in control you will be, and the less money and sweat will be wasted.

Summary

The PCI DSS may well challenge your pre-conceptions about what an Information Security Policy comprises - but there is plenty of help to draw upon.

In summary:

Use vendor offers - a free trial of event log server software will allow you to see first-hand how much noise you are likely to be dealing with in your estate, and how straightforward or otherwise an implementation might be, before you spend any money.

Use the PCI Security Standards Council website - tools like the Prioritized Approach spreadsheet will help break down the full PCI DSS into a more manageable series of steps and priorities.

Look for quick wins and the best ‘bang for buck’ measures - implementing File Integrity Monitoring software for PCI compliance can take a big bite out of the overall requirements and may be one of the simpler and more affordable steps you take.

What do you think? If you could give one piece of advice based on your own experience of PCI Compliance what would that be?